
For me personally, the timeline of events surrounding the discovery of Lenovo’s SuperFish malware is ironic. Just a couple of days before it was discovered, I had a telephone call with a friend named Jon Stanley. Jon is someone I consider to be an elder statesman of the CFAA as he has been digging deep into the law for a long time — much longer than I have — and our call was basically to chat about all things CFAA-related. (to get a glimpse of what it’s like to talk to Jon, check this out)

One of the things we talked about was our favorite CFAA opinions and Jon told me his was Shaw v. Toshiba, 91 F.Supp.2d 926 (E.D. Tx. 1999). I had skimmed the high points a few years back but never really taken the time to go through it slowly and enjoy it like a snifter of brandy, so after we hung up, I pulled it up and began reading.

I immediately turned to the point that Jon and I discussed which is where the court focused on the silliness of folks trying to argue the Computer Fraud and Abuse Act is a “hacking” law – ha, the court knocked it out of the park! “[T]his Court does not see a blanket exemption for manufacturers in Title 18 U.S.C. § 1030; nor does it see the term ‘hacking’ anywhere in this statute.” Id. at 936. I love that statement — I have never seen the term “hacking” in there either and, to hear people continue referring to it that way makes me wonder if they also refer to the mail and wire fraud statute as intending to keep the crooked city slickers from taking advantage of honest country folk. (seriously, see page 1)

How does this apply to the Lenovo SuperFish Malware?

So now you’re probably wondering where I’m going with this, right? And, what it has to do with the Lenovo SuperFish malware?

Ok, did you catch the first part of that quote? The part about a “blanket exemption for manufacturers”?

The issue in Shaw was whether a computer manufacturer’s sale of laptop computers containing devices with defective microcode that erroneously caused the corruption or destruction of data without notice was a violation of the CFAA, because the instructions given by the defective microcode were an unauthorized transmission. Toshiba argued several things but, most applicable here, that “Congress never intended for the CFAA to reach manufacturers; rather, the CFAA is geared toward criminalizing computer ‘hacking.’” In other words, Toshiba argued that, because it was a manufacturer that did all of its “stuff” before the computer was shipped and sold to Shaw, its activities were not prohibited by the CFAA. The Court disagreed with Toshiba’s narrow interpretation:

Perhaps. But it seems more plausible that Congress, grappling with technology that literally changes every day, drafted a statute capable of encompassing a wide range of computer activity designed to damage computer systems–from computer hacking to time bombs to defective microcode.

Brilliant. Ultimately, the Court denied Toshiba’s Motion for Summary Judgment and allowed the case to proceed.

The lawsuits against Lenovo have already started to drop and will surely continue coming. While I have not read the individual complaints, I’d say it’s a safe bet there are some CFAA claims in there — and if not, maybe they should give Shaw v. Toshiba a read (and not just for pleasure).

So, here’s a little test for you: if they do bring a CFAA claim, do they have to plead the $5,000 loss?

Hey Jon, by the way, thank you!

Shawn Tuma (@shawnetuma) is a cybersecurity lawyer business leaders trust to help solve problems with cutting-edge issues involving cyber risk and compliance, computer fraud, data breach and privacy, and intellectual property law. He is a partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes across the United States and, through the Mackrell International Law Network, around the world.

Plaintiff had interesting claim under the CFAA but couldn’t get there due to that pesky “loss” requirement

Does an employer violate the Computer Fraud and Abuse Act by remotely wiping an employee’s personal mobile device that was connected to the employer’s server and contained its data?

The United States District Court for the Southern District of Texas was poised to answer this question but did not reach the issue. The court found, as in most of these cases, the plaintiff did not satisfy the jurisdictional threshold $5,000 loss requirement.

What we did get, however, is a strong analysis of how the federal courts in Texas interpret the loss requirement of the CFAA.

Something to think about — would this have violated the CFAA?

The plaintiff in Rajaee v. Design Tech Homes, Ltd. claimed that his job required him to have constant access to email to do his job. His employer did not provide him with a mobile device so he used his own personal iPhone 4 to conduct his work for Defendants. Plaintiff’s iPhone was connected to his employer’s network server to allow him to remotely access the email, contact manager, and calendar provided by the employer. The parties disagreed over who connected the device or whether it was authorized.

Plaintiff resigned his employment with Defendants and, a few days later, Defendants’ network administrator remotely wiped Plaintiff’s iPhone, restoring it to factory settings and deleting all the data–both personal and work-related–on the iPhone.

Plaintiff sued Defendants alleging that their actions caused him to lose more than 600 business contacts collected during his career, family contacts, family photos, business records, irreplaceable business and personal photos, and videos, and numerous passwords.

Plaintiff sued for violations of the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, and various state law claims.

Violation of the Electronic Communications Privacy Act

The Court found the Defendants’ actions did not violate the Stored Communication Act prong of the ECPA: “the Fifth Circuit has held that ‘information that an individual stores to his hard drive or cell phone is not in electronic storage under the statute.’” The information Plaintiff claimed was deleted was stored on his cell phone and not covered by the SCA.

Unauthorized Access Under the Computer Fraud and Abuse Act

The Court does not reach the issue of whether Defendants’ actions were an unauthorized access under the CFAA but that doesn’t mean we can’t think about it ourselves. In fact, over a year ago my friend Jim Brashear (@JFBrashear) and I talked about this and he suggested I write something about it. I didn’t. I should have.

What we do know from the court’s opinion are the following things:

Plaintiff owned the iPhone

The iPhone contained Plaintiff’s personal data

The iPhone was connected to Defendants’ server

The iPhone contained Defendants’ data

Defendants’ network administrator somehow remotely wiped all of the data — Plaintiff’s and Defendants’ — from the iPhone

We also know that a cell phone is considered a “protected computer” under the CFAA (post). So, we have a protected computer that — somehow — has its data wiped by someone other than its owner. What we do not know from the opinion, but need to know, are:

What authorization did Plaintiff have to retain Defendants’ data on his device after his employment terminated?

What authorization did Plaintiff give Defendants to access his device when (whomever) connected it to Defendants’ server (beyond the fact that by connecting to the server Plaintiff was necessarily giving Defendants authorization for their server to communicate with his device)?

Assuming Plaintiff gave any authorization to Defendants, did that authorization continue for as long as Plaintiff maintained the connection to Defendants’ server?

What means did Defendants’ network administrator use to remotely wipe the device and what steps were taken beforehand to give Defendants the ability to do that?

I believe the answers to these questions are important in this analysis. If I were the judge, these are things I would want to know.

A hack back?

Thinking in the big picture, this scenario reminds me of the ongoing debate over whether it is acceptable for a company to “hack back” — that is, after a hacker has stolen data from a company, whether the company can in turn hack the attacking hacker (“you drew first blood” – Rambo) to either retrieve or destroy its (or its customers’) data that is now residing on the hacker’s system, likely in some far off land.

The arguments on both sides of the hack back issue are vigorous and I am not foolish enough to think I could resolve the issue here. I just want to point out that, in the big picture, the rationale seems somewhat similar: someone else has your data, they are not entitled to keep it, you do not want them to keep it, so go zap it!

Loss Under the Computer Fraud and Abuse Act

The real value in the Rajaee Opinion comes from the court’s analysis of the loss issue. As I discussed the CFAA’s loss requirement in another post, “I find it to be one of the more challenging aspects of any civil CFAA claim as well as an important feature of the CFAA to keep it from being used in civil cases that do not justify ‘having a federal case made out of it.’”

Meeting the loss requirement is a jurisdictional threshold that must be met before a plaintiff can bring a civil claim under the CFAA. “Although the CFAA is a criminal statute, Section 1030(g) provides a private right of action ‘for [a]ny person who suffers damage or loss by reason of a violation of this section.’”

The terms “damage” and “loss” are statutorily defined terms that each have a unique meaning under the CFAA, which meanings also differ from the meaning of “damages.” This is important to remember.

The term “damage” means any impairment to the integrity or availability of data, a program, a system, or information and the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. Capitol Audio Access, Inc. v. Umemoto (for CFAA, disclosure of info not “damage” and evading license not “loss”)

Courts still routinely get this wrong despite the fact that “loss” is defined in subsection (e)(11): “the term ‘loss’ means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

While the Rajaee Opinion does not rise to the level of analysis of the Nosal Court’s Opinion, which thoroughly discusses the various views of the CFAA loss jurisprudence, it is one of the more thorough ones I have seen from a federal court in Texas.

Because this case involves a ruling on a motion for summary judgment, the Plaintiff has the burden of providing evidence to support its allegations. The Rajaee Court required Plaintiff to point to evidence that, if believed by the trier of fact, would be sufficient to show that his loss did in fact exceed $5,000. Plaintiff referred the court to a declaration in which he described the losses he suffered as a result of Defendants’ deletion of his personal data as being:

pictures of his personal home rehabilitation project, which decreased the value of the remodel by at least $50,000;

pictures and video of family, friends, and his dogs, which he values at $3,500;

all cell phone contacts after 2009, which he values at over $50,000 based on his diminished employability;

all of Plaintiff’s text messages, which he values at $1,000; and

all of his notes and email accounts, which he values at $600.

The court was correct in agreeing with the Defendants who argued that none of these items qualified as loss. “Plaintiff [did] not produce[] evidence of any costs he incurred to investigate or respond to the deletion of his data, nor do the losses and damages for which he does produce evidence arise from an ‘interruption of service.’”

Because of this, the court dismissed the CFAA claim.

Important CFAA Loss Principles Applied in this Case

In reaching its decision, the court referenced and stated the following propositions of law that will be helpful for any party to understand in a civil case in the federal courts in Texas, especially the Southern District:

The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Id. § 1030 (e) (11).

I often write about corporate espionage and trade secrets but I bet some of you may still be trying to imagine real-world scenarios that demonstrate exactly what those terms mean and how they apply. Let me tell you a story and see if it helps it make more sense.

Let’s Talk About Your Business

Let’s say you have a business and you have some really valuable information that your employees use when they are working for your business — the most important of which is the list of your customers and all of the background information you have compiled on those customers. Because you know how valuable this information is, you have had your company’s IT department implement certain technological limits to keep people from downloading that information to USB drives, Dropbox, or emailing it to their Gmail account. You’re really thinking ahead of the curve in trying to safeguard your trade secret information and you’re feeling pretty proud of yourself. And, you should, because most businesses don’t go to such efforts to protect their valuable trade secret information.

Zig Ziglar had a saying about dishonest employees: “If a person is dishonest, I hope he is dumb. I’d hate to have a smart crook working for me.”

You, however, hired smart …

Now let’s imagine you had a pretty senior and high-ranking person in your company decide to leave to go work for one of your competitors where having your customer list (with all the extra information included) would be a great asset to them. And, you later come to believe, the competitor was actively trying to hire your employees and was trying to get them to take your trade secret information and bring it with them. You, however, have thrown a kink in their plans with your on-the-ball IT department’s information security practices. Or so you think.

Before telling you of her intentions to leave your company, this soon-to-be former employee still has access to your trade secret customer list from her computer and decides to access it on the system and pull it up for one last look. Can you imagine what she does next?

She whips out the trusty little smart phone and takes picture after picture after picture of all of the information on her computer monitor! She didn’t download it — she couldn’t. But she has it in several digital images on her mobile phone and when she goes out the door of your company, so too do your highly valuable trade secret customer lists.

Here Is The Real Life Case

This is a storified version of the allegations made by PNC Bank against its former employee, Eileen Daly, and her new employer Morgan Stanley in the case PNC Financial Services Group, Inc. v. Daly and Morgan Stanley, Inc. (Complaint) filed in the United States District Court for the Western District of Pennsylvania on March 14, 2014.

What makes this case (as alleged, anyway) a case of corporate espionage? Simple. It is one company trying to steal the valuable information of another company. It happens all the time. In this case it just so happened to be by an “insider” — a departing employee.

This is Clearly a Trade Secrets Case — But Could it Also Be a CFAA?

PNC sued the defendants for several causes of action, including misappropriation of trade secrets and unfair competition — exactly what you would expect in a case like this, right? It did not, however, sue them for “unauthorized access” in violation of the Computer Fraud and Abuse Act and, while I can think of several reasons why PNC may not have done so, it did get me to wondering if they could have. I mean after all, there have been much weaker CFAA cases filed in Pennsylvania District Courts.

What Does the Statute Say?

To violate the Computer Fraud and Abuse Act under the most lenient part of the statute, the defendant must “intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] … information from any protected computer;” 18 U.S.C. § 1030(a)(2)(C). And here, the information could not be downloaded, even though attempted, sooooo …..

Was There an Access?

Maybe so. She did have to access the computer system to retrieve the information and pull it up on her computer monitor. The question of whether her access was unauthorized or exceeded authorized access has not been conclusively determined by the Third Circuit; however, the bulk of the district court cases tend to follow the Strict Access Theory of the Ninth and Fourth Circuits, under which it probably would not have been improper, though in the Fifth and Eleventh Circuits, under the Intended Use Theory, it may very well have been.

Was Information Obtained?

Yes, it was. The defendant took pictures of the trade secret customer lists — information — and kept those pictures on her smart phone. That sounds like the obtaining of information to me.

The federal district courts in Pennsylvania are extremely strict when it comes to calculating the loss under 18 U.S.C. § 1030(g). Last year I handled the defense of a civil CFAA case in the Eastern District of Pennsylvania and thoroughly briefed two motions to dismiss that were heavily premised on the Pennsylvania district courts’ strict loss jurisprudence. (Here are the motions: Motion to Dismiss and Motion to Dismiss Amended Complaint) I convinced the plaintiff to dismiss the claims against my client with prejudice before the plaintiff filed a response or the court ruled on the motions; however, I remain very confident that the positions asserted in the motions were consistent with the courts’ standards on this issue and would have been successful.

Under these standards, I cannot imagine how investigating the taking of pictures of a computer monitor could qualify as a “loss” or “damage” such to get the case past 18 U.S.C. 1030(g) and survive a motion to dismiss. I haven’t put a lot of thought into this, and am not saying it can’t happen, I just haven’t thought of how it would.

My guess is this is why the attorneys representing PNC didn’t bother throwing in a claim for violating the CFAA — well that, and, they probably didn’t see a need for it since they were already in federal court on diversity jurisdiction!

About the author

Shawn Tuma is a lawyer who is experienced in advising clients on complex digital information law and intellectual property issues such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act. He is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as across the nation pro hac vice ). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

Is Texas a good state for a plaintiff to bring a Computer Fraud and Abuse Act (CFAA) claim?

Yes it is, and a recent case reaffirms that the Federal District Courts in Texas are generally favorable jurisdictions for plaintiffs with CFAA claims because of two key issues, access and loss jurisprudence.

Facts of the Case

The facts are fairly typical. According to the Complaint, Absolute Energy, the plaintiff, employed J. Trosclair. On April 18, 2013, Absolute Energy terminated J. Trosclair who then opened SBJ Resources, a company that competed with Absolute Energy. Absolute Energy alleges that upon J. Trosclair’s termination, his authorization to access Absolute Energy’s computer system (including email system) was terminated. R. Trosclair is J. Trosclair’s wife and was not employed by Absolute Energy which alleges R. Trosclair was never authorized to access its computer system.

After his termination, J. Trosclair and R. Trosclair accessed Absolute Energy’s computer system without authorization, sent, received, and forwarded email messages belonging to Absolute Energy, and engaged in a business endeavor that directly competed with Absolute Energy using Absolute Energy’s computer system, including to conduct business with Absolute Energy’s customers.

Absolute Energy Filed a Lawsuit

Absolute Energy filed a lawsuit against J. Trosclair and R. Trosclair for violating 18 U.S.C. § 1030 (a)(2) and (a)(4) of the Computer Fraud and Abuse Act and misappropriation of trade secrets (though it is not clear if this claim was pursuant to the newly enacted Texas Uniform Trade Secrets Act (TUTSA)).

The Trosclairs filed a Motion to Dismiss arguing the following points, and included declarations which contradicted the allegations in the Complaint:

J. Trosclair was a 25% owner of Absolute Energy which gave him authorization to access its computers;

the email account he was given was an email address and password for a Google operated email account that utilized computers and servers owned by Google, not Absolute Energy;

The Google email system was used through J. Trosclair’s own personal computer and information received was automatically downloaded to that computer;

Absolute Energy did not ever de-activate the Google email account that was assigned to J. Trosclair or notify him that he was not supposed to be using that account from his own personal computer;

R. Trosclair’s only use of the Google email account was when she was gathering emails to forward to their attorney for purposes of an earlier lawsuit that J. Trosclair had filed against Absolute Energy in state court;

Absolute Energy did not have a written employment agreement nor did it promulgate employee guidelines that prohibited employees from emailing Absolute Energy documents to other personal computers; and

The allegations in the Complaint were adequate to support the CFAA claim and, instead of attacking the sufficiency of the allegations, the Trosclairs include declarations as evidence to contradict the substance of the allegations, which is improper for a Rule 12(b)(6) motion to dismiss;

The allegations in the Complaint were sufficient to establish a loss as it alleged the Trosclairs caused a loss that exceeded $5,000 in value; and

Given that for purposes of a Rule 12(b)(6) motion to dismiss the allegations asserted in the Complaint are to be taken as true, the motion should be denied.

Legal Principles and Court’s Analysis in Denying the Motion to Dismiss

The primary reason the court denied the motion to dismiss is what many laymen may feel is a technicality but is in reality a well-settled principle when dealing with motions to dismiss: they are generally not the proper vehicle for addressing factual disputes. Generally they are intended for cases where you say, “even if we assume that everything the plaintiff says is true, he still has no case because of x, y or z …” In this case, the Trosclairs tried to dispute the veracity of Absolute Energy’s factual allegations which, by definition, created a factual dispute that almost always requires denial of a motion to dismiss on such grounds. And, it did.

Point of Law 1. A motion to dismiss a Computer Fraud and Abuse Act claim in which the defendants argue that the plaintiff’s allegations are false because, contrary to plaintiff’s allegations, the defendants really were authorized to access plaintiff’s computers, is an argument that raises a factual dispute that could not be decided on a motion to dismiss. This is a procedural issue that is germane to all motions to dismiss, regardless of the particular subject matter of the claim.

In ruling on the motion, the court also provided some succinct statements of important principles concerning the Computer Fraud and Abuse Act:

Point of Law 2. The elements to a Section 1030(a)(2) claim require a plaintiff to show that a defendant: (1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that he (3) thereby obtained information, (4) from any protected computer, and that (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value.

Point of Law 3. The elements to a Section 1030(a)(4) claim require a plaintiff to show that a defendant: (1) accessed a protected computer, (2) without authorization or exceeding such authorization that was granted (3) knowingly and with intent to defraud, and thereby (4) furthered the intended fraud and obtained anything of value, causing (5) a loss to one or more persons during any one-year period aggregating at least $5,000 in value.

Point of Law 4. The court reaffirmed its adherence to the Intended Use Theory that is followed in the Fifth Circuit which stated that “[a]ccess to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given are exceeded.” quoting United States v. John, 597 F.3d 263, 272 (5th Cir. 2010).

Point of Law 5. To satisfy the loss requirement and state a civil claim under the CFAA, plaintiff is not required to allege details or the exact nature of the loss. Rather, plaintiff must simply allege sufficient damages to establish that the elements of an 18 U.S.C. § 1030(g) claim have been met.

My Thoughts on the Case

Did the plaintiff adequately plead an unauthorized access to a protected computer?

Regarding the dispute over the access issue, I believe the court was correct in its ruling based on the arguments that counsel presented in their motions. As a general rule, a motion to dismiss should be denied when the arguments supporting the motion are that the plaintiff’s facts are wrong, as was the case here. However, I have a problem with it — and regular readers know that if I have a problem with a successful CFAA case, there just may be a problem there!

I recently defended a CFAA case in which the plaintiff’s allegations of access were simply bald allegations that were too vague and conclusory to determine how the wrongful access purportedly occurred or, more importantly, what protected computer was even accessed. In my view, two things that should be required for any CFAA wrongful access claim are (1) specificity as to what protected computer was accessed and (2) how the plaintiff believes the access occurred, in general. Because neither of these points had been pleaded in my case, in my motion to dismiss I thoroughly briefed the law that says a court is not always required to accept the plaintiff’s allegations as true: where the plaintiff makes nothing more than “bald allegations,” they are conclusory and, as a matter of law, not entitled to be assumed true. Here is the general gist of the three questions a court should ask per this argument; a “no” to any one question means the allegations in the complaint are insufficient:

Ignoring all “bald allegations” and “legal conclusions,” do the “factual allegations” support the elements of the claim?

If so, does common sense and judicial experience suggest the plaintiff’s theory of the claim is plausible or that there are more likely alternative explanations?

If not, are the factual allegations supporting the discrete nuances of the claim strong enough to nudge the claim across the line from conceivable to plausible?

If you are interested in reading more of this argument, here is the Brief in Support of Motion to Dismiss Amended Complaint. There are also significant issues with the “information and belief” allegations, which is another issue that I briefed in the foregoing motion, which could be helpful in this case as they are used quite freely.

There are several key allegations in Absolute Energy’s Complaint that are pleaded as bald allegations and/or pleaded on information and belief and, therefore, should not be entitled to the presumption of truth:

“12. Upon information and belief, Jason and Rhonda did, after Jason’s termination from Absolute, access on multiple occasions the computer system and e-mail system and accounts of Absolute, without the knowledge, permission, or authorization of Absolute.”

“computer system and e-mail system and accounts” is too generic of an allegation — which specific device or account is being claimed as a protected computer that was wrongfully accessed?

without more specificity as to what actual device or account was accessed, such a generic allegation should not suffice

How were the accesses accomplished? This too is important to know because it sheds a lot of light on the plausibility issue mentioned in the 3 question test.

“10. Upon termination of Jason Trosclair’s employment, his authorization to access the computer system and e-mail accounts and/or system of Absolute was terminated.”

This goes to the plausibility issue — how was his authorization terminated?

Was he notified in an exit interview? Were his credentials revoked? Was there a policy somewhere that said it was terminated?

Without some specificity on this issue, this is nothing more than a “threadbare” legal conclusion that is not entitled to a presumption of truth.

Now add in the fact that he was a 25% owner of the company and his access to the email account was never shut off — does the mere fact that plaintiff pleaded “his authorization … was terminated” with nothing more push this across the line from conceivable to plausible?

The court ruled on the issues presented by counsel and, based on the arguments in the motions and responses, it made the safe ruling. However, based on the facts we learned from the Trosclairs’ declarations, there are some significant issues that Absolute Energy will need to address with its case — if not its Complaint — otherwise this may be a short-lived victory.

Did the Plaintiff adequately plead the jurisdictional threshold $5,000 loss?

Not even close (IMHO). I have written extensively about the $5,000 loss requirement (see posts). Have you, the readers of this blog, been paying attention? Let’s find out … according to the court:

“Plaintiff has alleged a loss exceeding $5,000. See Complaint, ¶ 23. To state a claim under the CFAA, Plaintiff is not required to allege … details or the exact nature of the loss. Rather, Plaintiff must simply allege sufficient damages to establish that the elements of a Section 1030(g) claim have been met, as Plaintiff has done here. [The court then footnotes the following:] Plaintiff’s damages allegations are sparse but are sufficient for present purposes, when read in light of the allegations in ¶ 29 of the Complaint. Because it is better practice, Plaintiff will be required to elaborate on the damages in an amended complaint ….”

I have said all I can say about this case for now and it will be interesting to see how it progresses.

About the author

Shawn Tuma is a lawyer who is experienced in advising clients on complex intellectual property issues such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act. He is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as across the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

Does a person violate the Computer Fraud and Abuse Act by accessing a remote computer without authorization if he is not aware that he is even accessing that remote computer?

The Sixth Circuit says no. The Computer Fraud and Abuse Act prohibits the intentional access of a computer without authorization. When a defendant is not aware that he is accessing a computer remotely, he cannot be said to be accessing it intentionally. Thus, he cannot be violating the CFAA.

A Kentucky man was convicted of violating the Computer Fraud and Abuse Act for hacking into specific accounts on the website sodahead.com and replacing purportedly racist and homophobic content with less offensive content. Michael Pullen was able to hack into the accounts by exploiting a software vulnerability. The man was sentenced to 5 months in prison and 2 months probation, as well as having to pay $21,000.

In denying a motion to dismiss a civil Computer Fraud and Abuse Act claim, a district court found that a departing employee’s purported cover-up of nefarious activity by deleting e-mails from his “sent” and “deleted items” folders on Plaintiffs’ computer system was sufficient to allege damage pursuant to 18 U.S.C. § 1030(c)(4)(A)(i) which provision, however, does not address the issue of damage at all — but only loss. The case is Sysco Corp. v. Katz, et al., 2013 WL 5519411 (N.D. Ill. Oct. 3, 2013) and I find it troubling.

Damage v. Loss — what difference does it make?

A lot. The two terms are completely different and each has its own unique role within the statutory framework of the CFAA.

The term “damage” means any impairment to the integrity or availability of data, a program, a system, or information and the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. Capitol Audio Access, Inc. v. Umemoto (for CFAA, disclosure of info not “damage” and evading license not “loss”)

Plaintiffs’ Allegations

In Sysco Corp., Defendant Katz was employed by Plaintiff Sysco Corp. He began discussing an offer of employment with Defendant Reinhart Foodservice (Plaintiff’s competitor) in April 2013, accepted an offer of employment with Reinhart on May 8, 2013, but did not announce his resignation until July 1, 2013. Plaintiff alleges that during the interim period from April 2013 until July 1, 2013, Katz emailed confidential and proprietary trade secret information from his company email account to his wife’s personal email account. Further, the Complaint states:

Katz then deleted the SGR/SC confidential e-mail messages and attachments he had sent to his wife’s e-mail, by first deleting them from his “sent” box. Once he did this, those messages and attachments migrated to his “deleted items” folder. In an effort to permanently delete all of the messages, he then took the additional step of deleting the messages and attachments in the ‘deleted items’ folder, such that the record of Katz sending the e-mail messages and documents to his wife’s e-mail account all but vanished. Only because the Sysco Companies acted quickly, did they discover that Katz had intentionally attempted to delete e-mails containing confidential documents that he had sent to his wife. But because Plaintiff’s acted quickly, they were able to restore this information in Outlook and review the messages that Katz had sent to his wife’s email account, and the types of documents attached to those messages.

Complaint ¶ 40. Plaintiff alleges both access violations (Complaint ¶¶ 63, 65) and transmission violations (Complaint ¶ 66) of the CFAA. Plaintiff’s Complaint alleges that it sustained a $5,000 loss and properly references the costs for which such losses are typically acceptable: “Through their actions in violation of 18 U.S.C. § 1030 (a)(2), 18 U.S.C. § 1030(a)(4), 18 U.S.C. § 1030(a)(5)(A)-(C), Defendants have caused Plaintiffs to incur losses for responding to and investigating Defendants’ conduct and for conducting a forensic damages assessment, which continues. Such losses exceed $5,000.00 in a one-year period, in violation of 18 U.S.C. § 1030(g) and (c)(4)(A)(i)(I).” Complaint ¶ 67.

Defendants’ Motions to Dismiss

Defendant Reinhart filed a Motion to Dismiss and Katz filed a Motion to Dismiss which basically adopted Reinhart’s. Katz argued “Plaintiffs’ claim under the CFAA must fail because Plaintiffs have not alleged that they suffered either ‘loss’ or ‘damage’ as defined under the CFAA. Katz joins and incorporates by reference Reinhart’s arguments as if fully stated herein.” Id. at p. 7. Reinhart’s Motion seems to have adequately raised the issue of whether Plaintiff sufficiently alleged a loss which, as addressed ad nauseam in these posts, this article, and this article, is an absolute prerequisite jurisdictional threshold to moving forward on a civil CFAA claim. Motion to Dismiss p. 7-8.

The Court’s Focus on Damage – Ignoring the Jurisdictional Threshold Requirement of Loss

The court in this case seems to treat damage and loss as an either/or proposition — where finding one will suffice for the other: “To succeed on a CFAA claim brought under § 1030(a)(5)(B), a plaintiff must prove the damage or loss resulted in losses to one or more persons during any one-year period aggregating at least $5,000 in value. 18 U.S.C. § 1030(c)(4)(A)(i).” Technically, that may be correct; however, to prevail on a civil claim pursuant to that section, there must be a loss. Section 1030(c)(4)(A)(i) is the second level of what must be established to assert a civil claim for violating the CFAA. Here is how it works:

1. Section 1030(g) is what authorizes a civil claim for violations of the CFAA: “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator . . . . A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).”

2. Of the 5 factors listed in subsection (c)(4)(A)(i), only one applies to business cases (for all practical purposes) — the loss requirement — without which there can be no civil claim: “(1) loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value;”

Unless both steps 1 and 2 above are satisfied, there can be no civil claim for violating the CFAA in most business cases, including this one.

Loss and Damage Are Not Interchangeable — If There Is No Loss, There Is No Civil CFAA Claim

In its analysis, the Sysco Court completely blows past the loss requirement of 18 U.S.C. §1030(c)(4)(A)(i)(1) and addresses only whether there is damage, which does not satisfy the jurisdictional threshold for bringing a civil CFAA claim: “Reinhart and Katz contend that Plaintiffs have not alleged damage or loss as those terms are used by the CFAA…. These allegations are sufficient to allege damage as to Katz, but not as to Reinhart.”

Perhaps the Sysco Court simply assumes, without stating, that the Complaint adequately pleaded the loss and it did not need to be addressed any further. However, the language used by the court suggests otherwise; it suggests that the court treated the loss and damage requirements as being interchangeable, although the statutory language of section 1030(g) is very clear that they are not: “A civil action … may be brought only if” is a pretty direct statement.

As to the allegations of loss in the Complaint, the Plaintiff did a better job than most do by invoking alleged costs in responding to the wrongful activity; however, given the facts of the case, it is not certain that such facts are plausible and they may require further elaboration. Plaintiffs claim “losses for responding to and investigating Defendants’ conduct and for conducting a forensic damages assessment, which continues.” Complaint ¶ 67. However, the facts alleged are that Defendant Katz deleted email from the Outlook program on Plaintiff’s computer system, specifically from the “sent” and “deleted items” folders. Determining whether $5,000 in costs for restoring Outlook emails, most likely by in-house IT folks, is reasonable is also a requirement and should certainly be addressed, whether in a Motion for Reconsideration or a Motion for Summary Judgment.